Microsoft team has warned that it has been tracking a widespread credential-phishing campaign that relies on open redirector links, in email communications as a vector to simultaneously trick users into visiting malicious websites while effectively bypassing security software.
In a blog post, the Microsoft 365 Defender Threat Intelligence Team said “Attackers combine these links with social engineering baits that impersonate well-known productivity tools and services to lure users into clicking.” The team added that “Doing so leads to a series of redirections – including a CAPTCHA verification page that adds a sense of legitimacy and attempts to evade some automated analysis systems – before taking the user to a fake sign-in page.” “This ultimately leads to credential compromise, which opens the user and their organization to other attacks,” the team said.
An open redirect is when a web application allows an HTTP parameter to contain a user-supplied URL that causes the HTTP request to be redirected to the referenced resource. The redirect links in email messages serve a vital tool to take recipients to third-party websites or track click rates and measure the success of sales and marketing campaigns. In this case, the same technique has been abused by adversaries to redirect such links to their own infrastructure and at the same time keeping the trusted domain in the full URL intact to evade analysis by anti-malware engines, even when users attempt to hover on links to check for any signs of suspicious content.
According to Microsoft, the messages in this particular campaign, according to the company, tend to follow a common pattern. They use a few generic subject lines in this manner:
[Recipient username] 1 New Notification
Report Status for [Recipient Domain Name] at [Date and Time]
Zoom Meeting for [Recipient Domain Name] at [Date and Time]
Status for [Recipient Domain Name] at [Date and Time]
Password Notification for [Recipient Domain Name] at [Date and Time]
[Recipient username] eNotification.
To give the attack a veneer of authenticity, clicking the specially-crafted links redirects the users to a malicious landing page that employs Google reCAPTCHA to block any dynamic scanning attempts. Upon completion of the CAPTCHA verification, the victims are displayed a fraudulent login page mimicking a known service like Microsoft Office 365 or Zoom, only to swipe their passwords upon submitting the information.
Microsoft says it has detected at least 350 unique phishing domains involved in this campaign to mislead unsuspecting victims. According to the Intelligence Team “This phishing campaign exemplifies the perfect storm of [social engineering, detection evasion, and a large attack infrastructure] in its attempt to steal credentials and ultimately infiltrate a network.” The team added, “Organizations must therefore have a security solution that will provide them multi-layered defense against these types of attacks, given that 91% of all cyber-attacks originate with email.”
Olagoke Ajibola is a creative writer and content producer with an eye for details and excellence. He has a demonstrated history of telling stories for TV, Film and Online. Aside from being fascinated by the power of imagination, his other interest are travel, sport, reading and meeting people.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behaviour or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Microsoft team has warned that it has been tracking a widespread credential-phishing campaign that relies on open redirector links, in email communications as a vector to simultaneously trick users into visiting malicious websites while effectively bypassing security software.
